Java Web Security Antipatterns

Transcription

1 Java Web Security Antipatterns JavaOne 2015 Dominik Schadow bridgingit

2 Failed with nothing but the best intentions

3 Architect Implement Maintain

4 Architect Skipping threat modeling

5 Software that is secure by design Know the web application Know all external entities Know all data flows Identify all risks

6 Threat model

7 Avoid design flaws

8

9

10 Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker [ ]. Bruce Schneier

11 Implement User passwords stored as plaintext encrypted trivially hashed

12

13 Passw0rd$ d281fdbe0555b913d1c29f99143a3ad7bc66cf83 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD

14 Passw0rd$ SHA1 d281fdbe0555b913d1c29f99143a3ad7bc66cf83 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD

15 Passw0rd$ SHA1 d281fdbe0555b913d1c29f99143a3ad7bc66cf83 MD5 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD

16 Passw0rd$ SHA1 d281fdbe0555b913d1c29f99143a3ad7bc66cf83 MD5 2e2c68bc1e9187cc6919fcb8564f1483 AKNtqLC_DZM32Jk7pgF4FpRVapo6QFEdROpsflwHkw 2q6rfK2mev4fAQFlRXbH2DecJTYLvF3LMD AES

17 Slow down brute force attacks

18 PBKDF2 Iterations against brute force attacks Available in plain Java

19 Demo

20 bcrypt Iterations against brute force attacks Integrated in Spring Security

21 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

22 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

23 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

24 public class WebSecurityConfig extends WebSecurityConfigurerAdapter public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

25 scrypt Memory against brute force attacks Best protection against dictionary attacks

26 Increase # iterations with faster hardware

27 Set period of time to change passwords User logs in successfully Period of time expired Calculate new salt Set not changed passwords to null Calculate new hash User tries to log in Update hash & salt Force password reset process

28 Enforce length limit on password fields

29 <h:inputsecret id="password" maxlength="1024"> <f:validatelength minimum="10" maximum="1024"/> </h:inputsecret>

30 <h:inputsecret id="password" maxlength="1024"> <f:validatelength minimum="10" maximum="1024"/> </h:inputsecret>

31 private byte[] hash(pbekeyspec keyspec) { return secretkeyfactory.generatesecret (keyspec).getencoded(); }

32 private byte[] hash(pbekeyspec keyspec) { return secretkeyfactory.generatesecret (keyspec).getencoded(); }

33 Implement Changing password Changing address

34

35 Prevent unintended password change Cross-Site Request Forgery vulnerability Session id knowledge

36

37

38 Implement Disabling pasting passwords Delivering log-in form via HTTP

39 Disabling pasting into password fields Does not stop any attack Does not provide any more security Does frustrate users

40

41 HTTP log in page puts security in jeopardy

42 Link to dedicated HTTPS log in page

43 Force HTTPS for the whole page

44 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }

45 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }

46 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }

47 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }

48 @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age= "); chain.dofilter(req, response); } // }

49 HSTS stops any insecure communication Requires HTTPS connection No effect on HTTP connections All resources via HTTPS Includes scripts, images, Requires valid certificate No self-signed certificates any more

50 Implement Not logging security events

51 Logging forensics after an event

52 Log in and log out is a security event

53 OWASP Security Logging SECURITY_SUCCESS Successful security check (e.g. successful login) SECURITY_FAILURE Failed security check (e.g. failed login) SECURITY_AUDIT Record security events for audit (e.g. account edited)

54 Use an always active log level or separate log file

55 log.warn( SecurityMarkers.SECURITY_AUDIT, "User {} has edited his account, username);

56 log.warn( SecurityMarkers.SECURITY_AUDIT, "User {} has edited his account, username);

57 log.warn( SecurityMarkers.SECURITY_AUDIT, "User {} has edited his account, username);

58 Implement Skipping session configuration Keeping session id after log-in

59 <plugin> <groupid>org.apache.maven.plugins</groupid> <artifactid>maven-war-plugin</artifactid> <version>2.6</version> <configuration> <failonmissingwebxml> false </failonmissingwebxml> </configuration> </plugin>

60 <plugin> <groupid>org.apache.maven.plugins</groupid> <artifactid>maven-war-plugin</artifactid> <version>2.6</version> <configuration> <failonmissingwebxml> false </failonmissingwebxml> </configuration> </plugin>

61 web.xml is a rich source for security configuration

62 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>

63 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>

64 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>

65 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>

66 <web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>

67 User usually receives a session id when entering web application

68 4E01EF46D8446D1C 10CB5C08EDA69DD1

69 Session hijacking Attacker steals the session id

70 Session fixation Attacker dictates the session id

71 Have an always visible logout button

72 <form method="post"> <button type="submit">log out</button> </form>

73 <form method="post"> <button type="submit">log out</button> </form>

74 <form action="/logout" method="post"> <input type="hidden" name="${_csrf.parametername}" value="${_csrf.token}"/> <input type="submit" value="logout"/> </form>

75 <form action="/logout" method="post"> <input type="hidden" name="${_csrf.parametername}" value="${_csrf.token}"/> <input type="submit" value="logout"/> </form>

76 Limit session duration web.xml

77 Force HTTPS HSTS

78 Change session id after log in

79 @WebServlet public class Login extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.changesessionid(); //... } }

80 @WebServlet public class Login extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.changesessionid(); //... } }

81 @WebServlet public class Login extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.changesessionid(); //... } }

82 Invalidate session after log out

83 @WebServlet public class Logout extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.getsession().invalidate(); //... } }

84 @WebServlet public class Logout extends HttpServlet { protected void dopost(httpservletrequest request, HttpServletResponse response) { //... request.getsession().invalidate(); //... } }

85 Demo

86 Maintain Using outdated libraries

87 Frameworks and libraries decline

88

89

90 <reporting> <plugins><plugin> <groupid>org.owasp</groupid> <artifactid>dependency-check-maven</artifactid> <version>1.3.1</version> <reportsets> <reportset> <reports> <report>aggregate</report> </reports> </reportset> </reportsets> </plugin></plugins> </reporting>

91

92 Summary

93 Plan security with threat modeling Think (like an attacker) during implementation Keep 3rd party libraries up-to-date

94 Enjoy secure programming

95 Koenigstr Stuttgart Germany Blog blog.dominikschadow.de Demo Projects github.com/dschadow/javasecurity HTTP Strict Transport Security RFC tools.ietf.org/html/rfc6797 Microsoft Threat Modeling Tool threatmodeling.aspx Mozilla SeaSponge air.mozilla.org/mozilla-winter-of-securityseasponge-a-tool-for-easy-threat-modeling OWASP Dependency Check OWASP_Dependency_Check OWASP Security Logging OWASP_Security_Logging_Project Spring Security projects.spring.io/spring-security Pictures